What is causing the Phase 2 error: Mismatched Proxy ID or Peer ID when connecting through my Site-to-Site VPN? (KB ID: KB9517)
| Article ID: | KB9517 |
|---|---|
| Former Article ID: | |
| Published: | May 31, 2007 |
| Last Modified: | May 31, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
The Phase 2 error: Mismatched Proxy ID or Peer ID is typically caused by a mismatched configuration between the VPN devices. The steps listed below will assist in troubleshooting the issue.
Problem
The VPN is not coming up; it fails in Phase 2 with error messages regarding a Mismatched Proxy ID or Peer ID.
Solution
To view the flowchart for the steps listed below, select this link: KB9517 Flowchart
1. Is this a Policy-Based VPN? For further assistance, see KB4124 - Policy-Based VPN vs. Route-Based VPN. Which one do I have configured?
   - Yes - Jump to Step 3
   - No - Continue with Step 2
2. Do the Proxy ID settings in the AutoKey IKE Advanced page on the Firewall match the Proxy ID settings in the AutoKey IKE Advanced page on the Peer Firewall?
   - Yes - Continue with Step 7
   - No - See KB9518 - How to Check the Proxy and Peer IDs for a Route-Based Site-to-Site VPN that fails Phase 2.
3. What is the policy ID number of the policy that is being used for the VPN? For assistance, see KB9478 - How to Obtain the Policy ID Number for the VPN's Policy.
   - Record Policy ID information for use in a later step. Continue with Step 4.
4. Do the remote ID, local ID, and server ID in the error message match what is in the Local Firewall's policy and the Remote Firewall's policy configuration?
   - Yes - Continue with Step 5
   - No - See KB9516 - How to Verify the Policy-Based Site-to-Site VPN Policy Settings Are Correct
5. Does the Address book object entry in the Firewall's policy match the values defined in the Address book?
   - Yes - Continue with Step 6
   - No - See KB9501 - How to Confirm the Address Book Entry is Correct.
6. Is the "Proxy ID" option, in the AutoKey IKE's Advanced page, deselected?
   - Yes - Continue with Step 7
   - No - See KB9477 - How to ensure the Proxy-ID is Disabled in the Phase 2 Advanced VPN Settings.
7. Collect the logs from the Firewall and the NetScreen Remote Client and open a new case with the Juniper Technical Assistance Group. For assistance, see KB9229 - What information should I collect for a Site-to-Site VPN that won't come up?
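
The comparison behind Steps 2 and 4 can be scripted once both sides' values are written down. The following is an added example, not Juniper code: it assumes a proxy ID is modelled as a (local network, remote network, service) triple and that the peer's triple must be the exact mirror image; `ProxyID` and `compare_proxy_ids` are hypothetical names, and the addresses are constructed sample values.

```python
import ipaddress
from typing import List, NamedTuple


class ProxyID(NamedTuple):
    local: str    # local network in CIDR form
    remote: str   # remote network in CIDR form
    service: str  # service name, e.g. "ANY"


def compare_proxy_ids(ours: ProxyID, peers: ProxyID) -> List[str]:
    """Return mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    # Assumption: our local network must equal the peer's remote network, and vice versa.
    pairs = (("local", ours.local, "remote", peers.remote),
             ("remote", ours.remote, "local", peers.local))
    for our_side, mine, peer_side, theirs in pairs:
        try:
            a = ipaddress.ip_network(mine)    # strict parse: rejects host bits such as 10.1.1.5/24
            b = ipaddress.ip_network(theirs)
        except ValueError as exc:
            problems.append(f"our {our_side} / peer {peer_side}: invalid network ({exc})")
            continue
        if a == b:
            continue
        # Overlapping but unequal ranges (a /24 against its /16) are the easy case to miss.
        how = "overlaps but is not equal to" if a.overlaps(b) else "does not match"
        problems.append(f"our {our_side} {a} {how} peer {peer_side} {b}")
    if ours.service.strip().upper() != peers.service.strip().upper():
        problems.append(f"service {ours.service!r} does not match peer service {peers.service!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    site_a = ProxyID("10.1.1.0/24", "10.2.2.0/24", "ANY")
    site_b = ProxyID("10.2.0.0/16", "10.1.1.0/24", "ANY")
    for line in compare_proxy_ids(site_a, site_b) or ["proxy IDs are consistent"]:
        print(line)
```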
Category Description
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
Purpose
Troubleshooting

